Detecting and Mitigating a CryptoLocker Attack with EnCase

Alfred Chung

The most recent Verizon Data Breach Investigations Report (DBIR) revealed that crimeware is a serious problem for the construction, information, and utilities industries, representing over 30 percent of incidents. Among the most devilish in the ransomware trojan category is CryptoLocker.

How CryptoLocker Works

CryptoLocker arrives as a ZIP file attached to a seemingly innocent email. Once unzipped and run, the malware installs its payload in the user profile folder, adds a registry key so that it runs on startup, then starts phoning home to a command-and-control server. Once connected, the server generates a 2048-bit RSA key pair and sends only the public key back to the computer; the malware then encrypts files across local hard drives and mapped network drives with that public key and logs each encrypted file to a registry key. At that point, the user gets a message that his or her files have been encrypted and a Bitcoin ransom is demanded.
Nefarious, right? But not unbeatable. We now know that CryptoLocker leaves behind a bunch of registry entries and also copies files to the Application Data folder to ensure persistence. This means that there’s a treasure trove of artifacts on the infected endpoint, including:

The most interesting thing about the malware is the way it contacts the command-and-control server. There’s an algorithm in the malware that dynamically generates domain names for potential C2 servers, which are part of the GameOver Zeus botnet—and many of which are already blacklisted on VirusTotal. (Note: Although the GameOver Zeus botnet had been dismantled, it now appears to be in a state of resurrection.) It tries about 1,000 different domains until it connects to one. The key point here is that the files will not be encrypted for ransom until the malware reaches a C2 server.
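The domain-search behaviour described above is visible from the network side before any file is encrypted: a host working through hundreds of generated names produces a burst of distinct failed DNS lookups. The following is an added example, not EnCase code or anything from the original post, that runs that detection over a resolver log. The log line format, the 60-second window and the threshold of 20 distinct NXDOMAIN names are assumptions, and all sample lines and the blocklist are constructed.

```python
"""Flag hosts whose DNS traffic looks like a DGA hunting for a live C2 server:
many distinct failed lookups from one client inside a short window.

Added example, not EnCase code. Log format, window and threshold are
assumptions; the sample log and blocklist below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log, one lookup per line:
#   <ISO timestamp> <client IP> <queried name> <response code>
BENIGN = [
    "2014-06-10T09:00:01 10.0.0.5 intranet.example.local NOERROR",
    "2014-06-10T09:00:09 10.0.0.5 mail.example.local NOERROR",
    "2014-06-10T09:00:15 10.0.0.5 typo.exmaple.local NXDOMAIN",
]
# Host 10.0.0.7 fails 25 distinct lookups in 25 seconds, then reaches a
# name that resolves (a constructed stand-in for a live C2 domain).
INFECTED = [
    f"2014-06-10T09:00:{i:02d} 10.0.0.7 dga-sample-{i:02d}.example NXDOMAIN"
    for i in range(25)
] + ["2014-06-10T09:00:30 10.0.0.7 known-bad.example NOERROR"]
SAMPLE_LOG = BENIGN + INFECTED

# Constructed stand-in for a threat-intel blocklist (names already flagged
# by a reputation service).
BLOCKLIST = {"known-bad.example"}


def parse_line(line):
    ts, client, name, rcode = line.split()
    return datetime.fromisoformat(ts), client, name.lower(), rcode


def max_distinct_in_window(events, window):
    """Largest number of distinct names seen within any span of length `window`.

    `events` is a list of (timestamp, name). A two-pointer sweep keeps a
    Counter of the names currently inside the window ending at each event.
    """
    events = sorted(events)
    in_window = Counter()
    best = left = 0
    for ts, name in events:
        in_window[name] += 1
        # Evict events that fell out of the window ending at `ts`.
        while events[left][0] < ts - window:
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def flag_dga_hosts(lines, window=timedelta(seconds=60), threshold=20):
    """Return {client: peak distinct NXDOMAIN names} for clients at/over threshold."""
    failures = defaultdict(list)
    for line in lines:
        ts, client, name, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            failures[client].append((ts, name))
    flagged = {}
    for client, events in failures.items():
        peak = max_distinct_in_window(events, window)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def blocklist_hits(lines, blocklist=BLOCKLIST):
    """Return {(client, name)} for successful lookups of blocklisted names."""
    return {
        (client, name)
        for _, client, name, rcode in map(parse_line, lines)
        if rcode != "NXDOMAIN" and name in blocklist
    }


if __name__ == "__main__":
    for host, peak in flag_dga_hosts(SAMPLE_LOG).items():
        print(f"{host}: {peak} distinct failed lookups in one window (possible DGA)")
    for client, name in blocklist_hits(SAMPLE_LOG):
        print(f"{client}: resolved blocklisted name {name}")
```

The burst detector is the part that matters for the "before it phones home" window: a successful lookup of a blocklisted name means a C2 connection is already possible, whereas a pile of NXDOMAIN responses from one client is the malware still searching and the endpoint still recoverable.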

How EnCase Cybersecurity and EnCase Analytics Can Stop CryptoLocker

EnCase Cybersecurity and EnCase Analytics can be used today to perform file metadata scans enterprise-wide, then search all endpoints for evidence of CryptoLocker in the Application Data folder. On its own, EnCase Analytics can be used to detect running processes in the Application Data folder and suspicious connections. EnCase Cybersecurity can be used to search for the registry entries CryptoLocker leaves behind for persistence. If we threat-hunters find either of these before the malware reaches a command-and-control server, we can prevent the encryption of sensitive data for ransom.
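The endpoint-side hunt this section describes (processes executing from the Application Data folder, and Run-key persistence pointing into it) can be expressed as a small check over an endpoint snapshot. The block below is an added example, not EnCase or the author's code. It assumes an agent exports running process image paths and Run-key values in the shape shown; the allowlist, the sample processes and the Run entries are all constructed.

```python
"""Hunt an endpoint snapshot for CryptoLocker-style artifacts: executables
running from, or auto-started via a Run key from, a user's Application Data
folder, then correlate the two sources.

Added example, not EnCase code. The snapshot format and allowlist are
assumptions; all sample data is constructed.
"""
import re

# Per-user application data paths on XP-era ("Application Data") and
# Vista+ ("AppData\Roaming", "AppData\Local", "AppData\LocalLow") profiles.
USER_APPDATA_RE = re.compile(
    r"\\(?:Documents and Settings|Users)\\[^\\]+\\"
    r"(?:Application Data|AppData\\(?:Roaming|Local|LocalLow))\\",
    re.IGNORECASE,
)

# Constructed allowlist of images known to legitimately run from AppData.
# A production allowlist would key on signer or hash, not on path alone.
ALLOWLIST = {r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe".lower()}

# Constructed snapshot of what an endpoint agent might report.
SAMPLE_PROCESSES = [
    {"pid": 412, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1808, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 2316, "image": r"C:\Users\alice\AppData\Roaming\Qpzlgf\qpzlgfuv.exe"},
]
SAMPLE_RUN_KEYS = [
    {"hive": "HKCU", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"hive": "HKCU", "name": "Qpzlgf",
     "command": r'"C:\Users\alice\AppData\Roaming\Qpzlgf\qpzlgfuv.exe"'},
    {"hive": "HKLM", "name": "VendorUpdater",
     "command": r"C:\Vendor\updater.exe /silent"},
]


def image_from_command(command):
    """Pull the executable path out of a Run-key value (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted values: take the first token. An unquoted path containing
    # spaces is ambiguous here, just as it is for Windows itself.
    return command.split(" ", 1)[0]


def in_user_appdata(path):
    return USER_APPDATA_RE.search(path) is not None


def allowlisted(path):
    return path.lower() in ALLOWLIST


def hunt(processes, run_keys):
    """Return findings for processes and Run entries pointing into user AppData."""
    findings = []
    for proc in processes:
        if in_user_appdata(proc["image"]) and not allowlisted(proc["image"]):
            findings.append({"kind": "process", "pid": proc["pid"],
                             "path": proc["image"]})
    for entry in run_keys:
        image = image_from_command(entry["command"])
        if in_user_appdata(image) and not allowlisted(image):
            key = (f'{entry["hive"]}\\Software\\Microsoft\\Windows\\CurrentVersion'
                   f'\\Run\\{entry["name"]}')
            findings.append({"kind": "run_key", "key": key, "path": image})
    return findings


def correlate(findings):
    """Paths seen both as a running process and as a Run-key target (lower-cased).

    An AppData executable that is running *and* set to start at logon is the
    strongest signal in this data; either alone is worth a look, both together
    is the persistence pattern described for CryptoLocker.
    """
    by_kind = {"process": set(), "run_key": set()}
    for f in findings:
        by_kind[f["kind"]].add(f["path"].lower())
    return by_kind["process"] & by_kind["run_key"]


if __name__ == "__main__":
    found = hunt(SAMPLE_PROCESSES, SAMPLE_RUN_KEYS)
    for f in found:
        print(f)
    print("running AND persistent:", correlate(found))
```

Run this against a real snapshot and expect noise from legitimate per-user installers; the value is in the correlation step and in acting on a hit before the host ever resolves a C2 domain.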

The bottom line is this: malware like CryptoLocker always leaves trails behind on the endpoint. This means that endpoint visibility and continuous monitoring using a tool such as EnCase Analytics is vital to detecting these threats before they do any real damage. Comments? War stories? I welcome your thoughts in the Comments section below.